The tool


The philosophy of the tool is:

  1. Minimize the requirements as much as possible
  2. Use only AD native and supported protocols (LDAP, ADWS, SMB) without any “hack”
  3. Be scalable

As a consequence, the tool does not perform any check that requires administrator rights, such as the non-secure DNS update problem. Nor does it check for problems that require a maintained list, for example checking for patches that have not been applied.

How it works

PingCastle is a standalone program (no installation required) which produces reports for humans or machines.


PingCastle reads its own machine-readable reports to build analyses or dashboards.


Active Directory Account

The PingCastle program needs an Active Directory account to connect to the AD being audited. There is no requirement for this account. It can be an account without any privileges, or even an account from a trusted domain. This account does not need to be a member of the local administrators group.

Server Side

There is no requirement on the server side.

However, it is strongly recommended (but not mandatory), for performance reasons, to install on the server side a component named “Active Directory Web Services”, aka ADWS. It is installed by default on any domain where at least one domain controller runs Windows 2008 R2 or later. Having this component installed can divide the time required to compute the report by a factor of 10.

ADWS can be installed manually on Windows 2003 and Windows 2008 (requires .NET Framework 3.5 SP1). The hotfix that may be needed for these operating systems is located here.

Client side

The program is supported on every operating system supported by Microsoft, without installing any component and without any local privilege: from Windows Vista to Windows 10 and from Windows 2008 to Windows 2016, in both 32-bit and 64-bit versions.
In addition, the program is known to work on Windows XP and Windows 2003.

The analysis tool (PingCastle.exe) requires .NET 3.0 (or a later version), which is available by default since Windows Vista.

The reporting tool (PingCastleReporting.exe) requires .NET 3.5 (or a later version), which is available by default since Windows 7. Files produced by the reporting tool are .xlsx and .pptx. To read them, you may install the Excel Viewer, the PowerPoint Viewer, or any compatible viewer such as OpenOffice.

The functionality that creates the graph from Active Directory dumps may require the SQL Compact runtime (SqlCE). It is included by default with the .NET runtime but may not be present when the tool is executed on servers.